github.com/criyle/go-sandbox@v0.10.3/cmd/runprog/config/config.go (about) 1 package config 2 3 // This file includes configs for the run program settings 4 5 var ( 6 // default read permission files 7 defaultReadableFiles = []string{ 8 "/etc/ld.so.nohwcap", 9 "/etc/ld.so.preload", 10 "/etc/ld.so.cache", 11 "/usr/lib/locale/locale-archive", 12 "/proc/self/exe", 13 "/etc/timezone", 14 "/usr/share/zoneinfo/", 15 "/dev/random", 16 "/dev/urandom", 17 "/proc/meminfo", 18 "/etc/localtime", 19 } 20 21 // default write permission files 22 defaultWritableFiles = []string{"/dev/null"} 23 24 // default allowed safe syscalls 25 defaultSyscallAllows = []string{ 26 // file access through fd 27 "read", 28 "write", 29 "readv", 30 "writev", 31 "close", 32 "fstat", 33 "lseek", 34 "dup", 35 "dup2", 36 "dup3", 37 "ioctl", 38 "fcntl", 39 "fadvise64", 40 "pread64", 41 "pwrite64", 42 43 // memory action 44 "mmap", 45 "mprotect", 46 "munmap", 47 "brk", 48 "mremap", 49 "msync", 50 "mincore", 51 "madvise", 52 53 // signal action 54 "rt_sigaction", 55 "rt_sigprocmask", 56 "rt_sigreturn", 57 "rt_sigpending", 58 "sigaltstack", 59 60 // get current work dir 61 "getcwd", 62 63 // process exit 64 "exit", 65 "exit_group", 66 67 // others 68 "arch_prctl", 69 70 "gettimeofday", 71 "getrlimit", 72 "getrusage", 73 "times", 74 "time", 75 "clock_gettime", 76 77 "restart_syscall", 78 } 79 80 // default syscalls to trace 81 defaultSyscallTraces = []string{ 82 // execute file 83 "execve", 84 "execveat", 85 86 // file open 87 "open", 88 "openat", 89 90 // file delete 91 "unlink", 92 "unlinkat", 93 94 // soft link 95 "readlink", 96 "readlinkat", 97 98 // permission check 99 "lstat", 100 "stat", 101 "access", 102 "faccessat", 103 } 104 105 // process related syscall if allowProc enabled 106 defaultProcSyscalls = []string{"clone", "fork", "vfork", "nanosleep", "execve"} 107 108 // config for different type of program 109 // workpath and arg0 have additional read / stat permission 110 runptraceConfig = map[string]ProgramConfig{ 111 "python2.7": { 112 Syscall: SyscallConfig{ 113 ExtraAllow: []string{ 114 "futex", "getdents", "getdents64", "prlimit64", "getpid", "sysinfo", 115 }, 116 ExtraCount: map[string]int{ 117 "set_tid_address": 1, 118 "set_robust_list": 1, 119 }, 120 }, 121 FileAccess: FileAccessConfig{ 122 ExtraRead: []string{ 123 "/usr/bin/python2.7", 124 "/usr/lib/python2.7/", 125 "/usr/bin/lib/python2.7/", 126 "/usr/local/lib/python2.7/", 127 "/usr/lib/pymodules/python2.7/", 128 "/usr/bin/Modules/", 129 "/usr/bin/pybuilddir.txt", 130 "/usr/lib/locale/", 131 "./answer.code", 132 }, 133 ExtraStat: []string{ 134 "/usr", "/usr/bin", 135 }, 136 }, 137 RunCommand: []string{"/usr/bin/python2.7", "-E", "-s", "-B"}, 138 }, 139 "python3": { 140 Syscall: SyscallConfig{ 141 ExtraAllow: []string{ 142 "futex", "getdents", "getdents64", "prlimit64", "getpid", "sysinfo", "getrandom", 143 }, 144 ExtraCount: map[string]int{ 145 "set_tid_address": 1, 146 "set_robust_list": 1, 147 }, 148 }, 149 FileAccess: FileAccessConfig{ 150 ExtraRead: []string{ 151 "/usr/bin/python3", 152 "/usr/lib/python3/", 153 "/usr/bin/python3.6", 154 "/usr/lib/python3.6/", 155 "/usr/bin/lib/python3.6/", 156 "/usr/local/lib/python3.6/", 157 "/usr/bin/pyvenv.cfg", 158 "/usr/pyvenv.cfg", 159 "/usr/bin/Modules", 160 "/usr/bin/pybuilddir.txt", 161 "/usr/lib/dist-python", 162 "/usr/lib/locale/", 163 "./answer.code", 164 }, 165 ExtraStat: []string{ 166 "/usr", "/usr/bin", "/usr/lib", "/usr/lib/python36.zip", 167 }, 168 }, 169 RunCommand: []string{"/usr/bin/python3", "-I", "-B"}, 170 }, 171 "compiler": { 172 Syscall: SyscallConfig{ 173 ExtraAllow: []string{ 174 "gettid", "set_tid_address", "set_robust_list", "futex", 175 "getpid", "vfork", "fork", "clone", "execve", "wait4", 176 "clock_gettime", "clock_getres", 177 "setrlimit", "pipe", 178 "getdents64", "getdents", 179 "umask", "rename", "chmod", "mkdir", 180 "chdir", "fchdir", 181 "ftruncate", 182 "sched_getaffinity", "sched_yield", 183 "uname", "sysinfo", 184 "prlimit64", "getrandom", 185 "fchmodat", 186 }, 187 ExtraBan: []string{"socket", "connect", "geteuid", "getuid"}, 188 }, 189 FileAccess: FileAccessConfig{ 190 ExtraWrite: []string{ 191 "/tmp/", "./", 192 }, 193 ExtraRead: []string{ 194 "./", 195 "../runtime/", 196 "/etc/oracle/java/usagetracker.properties", 197 "/usr/", 198 "/lib/", 199 "/lib64/", 200 "/bin/", 201 "/sbin/", 202 "/sys/devices/system/cpu/", 203 "/proc/", 204 "/etc/timezone", 205 "/etc/fpc-2.6.2.cfg.d/", 206 "/etc/fpc.cfg", 207 "/*", 208 "/", // system_root 209 }, 210 ExtraBan: []string{ 211 "/etc/nsswitch.conf", 212 "/etc/passwd", 213 }, 214 }, 215 }, 216 } 217 )